Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)

Server-side encryption protects data at rest. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) uses strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

If you need server-side encryption for all of the objects that are stored in a bucket, use a bucket policy. For example, the following bucket policy denies permissions to upload an object unless the request includes the x-amz-server-side-encryption header to request server-side encryption:

{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
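To make the two Deny statements concrete, the following Python is an added example (not part of the Amazon S3 Developer Guide and not AWS code): a small evaluator for the StringNotEquals and Null condition operators, run against constructed PutObject request headers. It assumes, as S3 does, that the condition key s3:x-amz-server-side-encryption is populated from the request's x-amz-server-side-encryption header, and it only checks Deny statements, taking for granted that the caller is otherwise permitted to call s3:PutObject.

```python
# Added example, not from the AWS documentation: evaluate the SSE-S3 bucket
# policy's Deny statements against constructed PutObject request headers.

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::YourBucket/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::YourBucket/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def condition_keys_from_headers(headers):
    """Map HTTP request headers to the policy condition keys S3 derives from them.
    HTTP header names are case-insensitive, so normalise before lookup."""
    lowered = {k.lower(): v for k, v in headers.items()}
    keys = {}
    if "x-amz-server-side-encryption" in lowered:
        keys["s3:x-amz-server-side-encryption"] = lowered["x-amz-server-side-encryption"]
    return keys


def condition_matches(condition, keys):
    """Evaluate the subset of IAM condition operators this policy uses.
    Every operator block must hold for the statement's Condition to be true."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in keys
            if operator == "StringEquals":
                if not present or keys[key] != expected:
                    return False
            elif operator == "StringNotEquals":
                # Per the IAM condition-operator semantics, a negated operator
                # evaluates to true when the key is absent from the request.
                if present and keys[key] == expected:
                    return False
            elif operator == "Null":
                # "true" requires the key to be absent; "false" requires it present.
                if (expected == "true") != (not present):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate_put_object(policy, headers):
    """Return (allowed, [Sids of matching Deny statements]) for a PutObject
    request carrying `headers`. Any matching Deny is final (explicit deny)."""
    keys = condition_keys_from_headers(headers)
    denies = [
        stmt["Sid"]
        for stmt in policy["Statement"]
        if stmt["Effect"] == "Deny"
        and stmt["Action"] == "s3:PutObject"
        and condition_matches(stmt.get("Condition", {}), keys)
    ]
    return (len(denies) == 0, denies)


if __name__ == "__main__":
    # Constructed sample requests: unencrypted, SSE-S3, and SSE-KMS.
    for desc, hdrs in [
        ("no encryption header", {"Content-Type": "text/plain"}),
        ("SSE-S3 requested", {"x-amz-server-side-encryption": "AES256"}),
        ("SSE-KMS requested", {"x-amz-server-side-encryption": "aws:kms"}),
    ]:
        print(desc, "->", evaluate_put_object(BUCKET_POLICY, hdrs))
```

Running it shows that a request with no encryption header trips both statements, a request asking for AES256 passes, and a request asking for aws:kms is refused by the first statement alone, which is why a policy written this way enforces SSE-S3 specifically rather than "some server-side encryption".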

Server-side encryption encrypts only the object data, not object metadata.

API Support for Server-Side Encryption

To request server-side encryption using the object creation REST APIs, provide the x-amz-server-side-encryption request header. For information about the REST APIs, see Specifying Server-Side Encryption Using the REST API.

The following Amazon S3 APIs support this header:

  • PUT operations—Specify the request header when uploading data using the PUT API. For more information, see PUT Object.

  • Initiate Multipart Upload—Specify the header in the initiate request when uploading large objects using the multipart upload API. For more information, see Initiate Multipart Upload.

  • COPY operations—When you copy an object, you have both a source object and a target object. For more information, see PUT Object - Copy.

Note

When using a POST operation to upload an object, instead of providing the request header, you provide the same information in the form fields. For more information, see POST Object.

The AWS SDKs also provide wrapper APIs that you can use to request server-side encryption. You can also use the AWS Management Console to upload objects and request server-side encryption.

Note

You can't enforce SSE-S3 encryption on objects that are uploaded using presigned URLs. You can specify server-side encryption only with the AWS Management Console or an HTTP request header. For more information, see Specifying Conditions in a Policy.